27 May 2023

Weekend Round-Down: Bleeping Computer

New Russian-linked CosmicEnergy malware targets industrial systems

May 25, 2023, 11:27 AM

Malware

"Mandiant security researchers have discovered a new malware called CosmicEnergy designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar (formerly Solar Security).

The malware specifically targets IEC-104-compliant remote terminal units (RTUs) commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia.

CosmicEnergy was discovered after a sample was uploaded to the VirusTotal malware analysis platform in December 2021 by someone with a Russian IP address.

Analysis of the leaked malware sample has revealed several noteworthy aspects regarding CosmicEnergy and its functionality.

First, the malware shares similarities with previous OT malware like Industroyer and Industroyer.V2, both used in attacks targeting Ukrainian energy providers in December 2016 and April 2022.

Additionally, it's Python-based and uses open-source libraries for OT protocol implementation, just like other malware strains targeting industrial control systems, including IronGate, Triton, and Incontroller.

Just like Industroyer, CosmicEnergy likely gains access to the target's OT systems via compromised MSSQL servers using the Piehop disruption tool.

Once inside the victims' network, the attackers can control RTUs remotely by issuing IEC-104 "ON" or "OFF" commands via the Lightwork malicious tool.

[Image: CosmicEnergy execution chain (Mandiant)]

Mandiant believes this newly discovered malware may have been developed as a red teaming tool designed to simulate disruption exercises by Russian cybersecurity company Rostelecom-Solar.

Based on public information showing that Rostelecom-Solar received funding from the Russian government for cybersecurity training and simulating electric power disruption, Mandiant suspects CosmicEnergy could also be used by Russian threat actors in disruptive cyberattacks targeting critical infrastructure like other red team tools.

"During our analysis of COSMICENERGY, we identified a comment in the code that indicated the sample uses a module associated with a project named 'Solar Polygon.' We searched for the unique string and identified a single match to a cyber range (aka polygon) developed by Rostelecom-Solar," Mandiant said.

"Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets," Mandiant said.

"Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets."

As Microsoft reported in April 2022, after Russia invaded Ukraine, Russian hacking groups have deployed many malware families (some of them never before seen in the wild) in destructive attacks against Ukrainian targets, including critical infrastructure.

The list includes but is not limited to 

The Sandworm Russian military hackers used the Industroyer2 malware to target the ICS network of a prominent Ukrainian energy provider but failed to take down its high-voltage electrical substations and disrupt energy delivery across the country."
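The article says the attackers control RTUs by issuing IEC-104 "ON" or "OFF" commands, so it is worth seeing what such a command looks like on the wire and how a defender would spot one coming from the wrong host. The following is an added example, not code from the article, from Mandiant, or from the Piehop/Lightwork tools it describes. It builds the IEC 60870-5-104 APDU that carries a single command (type C_SC_NA_1, cause of transmission "activation"), parses frames back into their ASDU fields, and flags control-direction commands whose source is not an allow-listed SCADA master. The frame layout follows the IEC-104 standard; the RTU addresses, IP addresses, sample traffic and allow-list are constructed for the example.

```python
"""IEC 60870-5-104 (IEC-104) single-command frames: builder, parser, and a
source-allowlist check for control-direction ASDUs.

Hypothetical example: the frame layout follows IEC 60870-5-104 (APCI + ASDU),
but the RTU addresses, IP addresses and allowlist below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

START = 0x68
COT_ACTIVATION = 6          # cause of transmission: activation
C_SC_NA_1 = 45              # single command
C_DC_NA_1 = 46              # double command

# Type IDs carrying commands in the control direction (master -> RTU):
# 45..51 = C_SC/C_DC/C_RC/C_SE(x3)/C_BO, 58..64 = the same with CP56Time2a tags.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))


def build_single_command(ioa: int, on: bool, common_addr: int = 1,
                         send_seq: int = 0, recv_seq: int = 0,
                         select: bool = False) -> bytes:
    """Build an I-format APDU carrying C_SC_NA_1 (type 45), COT=activation.

    SCO byte: bit0 = SCS (1 ON / 0 OFF), bit7 = S/E (1 select / 0 execute).
    """
    sco = (1 if on else 0) | (0x80 if select else 0)
    # ASDU header: type id, VSQ (1 object, SQ=0), COT low byte, originator, CA
    asdu = struct.pack("<BBBBH", C_SC_NA_1, 0x01, COT_ACTIVATION, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([sco])
    # APCI: start byte, length of everything after the length byte, then the
    # four control bytes; in I-format N(S) and N(R) are stored shifted left by 1.
    apci = struct.pack("<BBHH", START, 4 + len(asdu),
                       (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    return apci + asdu


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    element: int


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Decode one APDU; return None for S/U-format frames, which carry no ASDU.

    Only the first information object is decoded, which is all a command needs.
    """
    if len(frame) < 6 or frame[0] != START or frame[1] + 2 != len(frame):
        raise ValueError("malformed APCI")
    if frame[2] & 0x01:            # control byte 1 LSB set: S- or U-format
        return None
    asdu = frame[6:]
    if len(asdu) < 10:
        raise ValueError("ASDU too short for one information object")
    type_id, _vsq, cot_byte, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return Asdu(type_id, cot_byte & 0x3F, ca, ioa, asdu[9])


def describe_command(a: Asdu) -> str:
    """Human-readable switch state for single/double commands."""
    if a.type_id == C_SC_NA_1:
        return "ON" if a.element & 1 else "OFF"
    if a.type_id == C_DC_NA_1:
        return {1: "OFF", 2: "ON"}.get(a.element & 0x03, "INVALID")
    return f"type {a.type_id}"


def flag_unexpected_controls(traffic, allowed_masters):
    """Return alerts for control-direction ASDUs not sent by a known master.

    `traffic` is an iterable of (src_ip, frame) pairs, as a sensor on the
    SCADA network segment would produce them."""
    alerts = []
    for src, frame in traffic:
        a = parse_apdu(frame)
        if a is None or a.type_id not in CONTROL_TYPE_IDS:
            continue
        if src not in allowed_masters:
            alerts.append(f"{src} sent {describe_command(a)} to CA={a.common_addr} "
                          f"IOA={a.ioa} (type {a.type_id}, COT {a.cot})")
    return alerts


# Constructed sample traffic (not real captures): the master at 10.0.0.5 is
# expected to issue commands; 10.0.0.77 is an unknown host doing the same.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_single_command(ioa=100, on=True)),
    ("10.0.0.77", build_single_command(ioa=100, on=False, send_seq=3, recv_seq=7)),
    ("10.0.0.77", bytes.fromhex("680401000000")),   # S-format ack, no ASDU
]

if __name__ == "__main__":
    print(build_single_command(100, True).hex())
    for line in flag_unexpected_controls(SAMPLE_TRAFFIC, {"10.0.0.5"}):
        print("ALERT:", line)
```

The allow-list check is deliberately simple: IEC-104 has no authentication, so a host that can reach TCP/2404 on an RTU can send the same 16-byte frame a legitimate master does. Keying the alert on the source address of control-direction type IDs (rather than on any signature of the tool) is what catches a red-team or attacker tool that reuses a standard protocol library.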

SERGIU GATLAN  
Sergiu Gatlan has covered cybersecurity, technology, and other news beats for more than a decade. Email or Twitter DMs for tips.